Web Server Security

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

The Web Server is designed to run over a network and function as an extensible network server. This topic covers the security risks and best practices for configuring the web server.

The Web Server has the following potential security risks:

  • The Web Server is designed to run over a network. If the device is run over a public network, such as the Internet, and the security of the device is compromised, it could expose the device or the local network to the public network.
  • The Web Server is designed to function as a network server. If the security of the Web Server is compromised, it could expose the device or local network to multiple remote clients.
  • The Web Server is extensible. If the extensions do not use proper security and authentication procedures, they could compromise the security of the device or the local network.

Best Practices

Limit deployment to ten connections simultaneously

A typical deployment uses a Web Server in a private network to provide a remote user interface to configure a headless device. The registry defines the number of connections and when the MaxConnections registry value is not set, the registry limits the number to 10.

Do not use the Web Server to perform critical operations

A typical deployment uses the Web Server to display status information or to host a family or community Web site. You should not use the Web Server to perform critical operations, such as machine control or financial processing.

Use authentication

Use the NTLM or Basic authentication mechanism to limit access to known users only. You can set the option in the HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.

Use Secure Sockets Layer (SSL)

The SSL protocol helps to protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support.

Use user access lists

Carefully choose your virtual roots and limit access to the appropriate files by providing appropriate user access lists. Anonymous users with access to the virtual root may be able to access files and directories within that virtual root. You can set the options in HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS registry key. For specific security information, see Setting Virtual Paths. See also Web Server Authentication and Permissions.

Default Web Server Registry Settings

You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.

For Web Server registry information, see:

Web Server Registry Settings.

Web Server Security

Web Server Registry Settings

Web Server Ports

The following table shows the ports that the Web Server uses, for details see Web Server Registry Settings.

Port number Registry values

80

Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD

443

Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL

See Also

Concepts

Web Server Registry Settings
WebDAV Security
Web Server Registry Settings

Other Resources

Web Server (HTTPD)